springdoc / springdoc.github.io

Library for OpenAPI 3 with spring-boot
https://springdoc.org
Apache License 2.0

Misleading docs - web UI url's #42

Closed duzenko closed 1 year ago

duzenko commented 1 year ago

Describe the bug

The docs here explicitly direct the user to expect the web UI under the endpoints http://server:port/context-path/swagger-ui.html and http://server:port/context-path/v3/api-docs and as such to configure Spring Security against those URLs.

In reality, though, the following security config works:

                .and().authorizeRequests().antMatchers("/api-docs/**").permitAll()
                .and().authorizeRequests().antMatchers("/swagger-ui.html").permitAll()
                .and().authorizeRequests().antMatchers("/swagger-ui/**").permitAll()

Note the lack of 'v3' before api-docs.

Additionally, swagger-ui.html is redundant as it's simply redirecting to swagger-ui/index.html. It will not work unless the user allows the swagger-ui/** path, and swagger-ui/index.html will work already with just that path without the separate rule for swagger-ui.html.

I expect that most real-life Spring projects use Spring Security, so omitting this config step is adding a headache for every new user.
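
An added example, not part of the issue and not springdoc's own code: it uses Spring's `AntPathMatcher` to show which of the request paths named above each set of `permitAll` patterns actually covers. The class name, the `DOC_RULES` list and the helper names are assumptions made for illustration.

```java
import java.util.List;
import org.springframework.util.AntPathMatcher;

// Added illustration, not springdoc code. Needs spring-core on the classpath.
public class PermitAllCoverage {

    // The three matchers quoted in the issue.
    static final List<String> ISSUE_RULES =
            List.of("/api-docs/**", "/swagger-ui.html", "/swagger-ui/**");

    // Assumption: matchers someone might write from the documented URLs alone.
    static final List<String> DOC_RULES =
            List.of("/v3/api-docs/**", "/swagger-ui.html");

    // Request paths named in the issue. Spring Security evaluates matchers
    // against the path after the context path, so it is omitted here.
    static final List<String> PATHS = List.of(
            "/v3/api-docs", "/api-docs", "/swagger-ui.html", "/swagger-ui/index.html");

    // Returns the first rule that permits the path, or null if none does.
    static String permittedBy(List<String> rules, String path) {
        AntPathMatcher matcher = new AntPathMatcher();
        for (String rule : rules) {
            if (matcher.match(rule, path)) {
                return rule;
            }
        }
        return null;
    }

    // Prints, for one rule set, which rule (if any) covers each path.
    static void report(String label, List<String> rules) {
        System.out.println(label + " " + rules);
        for (String path : PATHS) {
            String rule = permittedBy(rules, path);
            System.out.printf("  %-24s %s%n", path,
                    rule != null ? "permitAll via " + rule : "not covered, falls to later rules");
        }
    }

    public static void main(String[] args) {
        report("Issue config:", ISSUE_RULES);
        report("From documented URLs:", DOC_RULES);
    }
}
```

A path reported as not covered is decided by whatever rule comes later in the chain, so a redirect target that lacks its own `permitAll` pattern is subject to that later rule even when the page that redirects to it is open.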

bnasslahsen commented 1 year ago

Feel free to propose a PR to update the doc